Proposed Security Model and Threat Taxonomy for the

Internet of Things (IoT)

Sachin Babar∗, Parikshit Mahalle, Antonietta Stango, Neeli Prasad,
and Ramjee Prasad

Center for TeleInFrastruktur, Aalborg University, Aalborg, Denmark

Abstract. IoT is an intelligent collaboration of tiny sensors and devices giving
new challenges to security and privacy in end to end communication of things.
Protection of data and privacy of things is one of the key challenges in the IoT.
Lack of security measures will result in decreased adoption among users and
therefore is one of the driving factors in the success of the IoT. This paper gives
an overview, analysis and taxonomy of security and privacy challenges in IoT.
Finally, Security Model for IoT has been proposed.

Keywords: Security, Privacy, Internet of Things, trust, authentication, authori-

1 Introduction

The Internet has undergone severe changes since its first launch in the late 1960s as
an outcome of the ARPANET with number of users about 20% of the world popula-
tion. “7 trillion wireless devices serving 7 billion people in 2017”. This vision reflects
the increasing trend of introducing micro devices and tools in future i.e. IoT. In such
ambient environment not only user become ubiquitous but also devices and their
context become transparent and ubiquitous. With the miniaturization of devices, in-
crease of computational power, and reduction of energy consumption, this trend will
continue towards IoT[1]. One of the most challenging topics in such an intercon-
nected world of miniaturized systems and sensors are security and privacy aspects.
Having every ‘thing’ connected to the global future IoT communicating with each
other, new security and privacy problems arise, e. g., confidentiality, authenticity, and
integrity of data sensed and exchanged by ‘things’.
This paper is structured as follows : Section 2 talks about the IoT objectives with
detailed description of each. Section 3 focuses on the security requirements in terms
of privacy, trust and authentication for IoT. Section 4 describes the possible threats to
IoT. Section 5 analyzes related work for IoT security. Section 6 proposes a security
model for IoT. Section 7 concludes the paper.

Corresponding author.

N. Meghanathan et al. (Eds.): CNSA 2010, CCIS 89, pp. 420–429, 2010.
© Springer-Verlag Berlin Heidelberg 2010

To support mobility and routing the next generation Internet must provide ways to name and route to a much richer set of network ele- ments than just attachment points. 2. or if they can. may suffer from performance degradation due to the additional overhead associ- ated with network protocols that were originally designed for static infrastructure computing. hierar- chical topology structure.3 Content and Service Access A new architecture should provide data cleansing mechanisms that prevent corrupted data from propagating through the sensor network. Several mobile/wireless features may require mechanisms that cannot be implemented through the conventional IP framework for the Internet. it is well suited to a static. are associated with new network service requirements that motivate rethinking of several Internet archi- tecture issues. 1 shows the IoT Objectives followed by their description.2 Device Discovery and Network Discovery The current Internet is text-dominated with relatively efficient search engines for discov- ering textual resources with manual configuration. IoT Objectives 2. Fig. A clean architectural separation between name and routable address is a critical requirement [2]. pervasive system and sensor network. services that maintain . 1. The new architecture must sup- port methods for the registering of a new sensor system in the broader network [3]. In particular.1 Naming and Addressing Today’s Internet addressing scheme is rather rigid. 2. Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT) 421 2 IoT Objectives The IoT scenarios. Fig. like individual wireless device interfacing with internet. We discuss a set of objectives related to the networking requirements of the representative IoT scenarios identified earlier. An Internet dominated by unstruc- tured information supplied from large numbers of sensor devices must support efficient mechanisms for discovering available sensor resources. constella- tion of wireless devices. It provides a very efficient way to label (and find) each device interface in this hierarchy.

Scale. These devices are convenient. the detection of communication patterns unique to a specialized device allows users to be profiled[5]. Babar et al. As a result. These devices typically connect to the rest of the Internet via a wide range of wireless links. Diversity. Embedded Use. Major IoT devices have a single use (e. metadata. e. During these times. . Bluetooth and 802. 2. with minimal latency. wireless devices should be able to operate stably in modes disconnected from the rest of the infrastructure.11 device addresses. Wireless.11. IoT devices are mobile and often generally connect to the Internet via a large set of providers. any nearby observer can intercept unique low-level identifiers that are sent in the clear. including Bluetooth. One pa- rameter uniquely associated with wireless networks is the notion of location. 2. This could be realized through obtaining context information. These devices span a range of computational abilities from full-fledged PCs to low-end RFID tags.422 S. Privacy designs must accommodate even the simplest of devices. device calibration and monitor/detect adversarial manipulation of sensor devices should be integrated into sensor networks. blood pressure or heart monitors and household appliances). there may be times during which the connection of a wireless device or network to the Internet is not available.. At the most basic level. and increasingly em- bed network connectivity into everyday settings. These key properties are listed below: Mobility. 802. and statistical techniques to locally detect faulty inputs.5 Security and Privacy Wireless networks can be expected to be the platform of choice for launching a variety of attacks targeting the new Internet. WiMAX. In particular. 3 Security Requirements 3. In particular. This makes it difficult for users to monitor privacy concerns.4 Communication Wireless devices should be able to operate independently of the broader Internet.g. as well as be able to opportunistically establish "local" ad-hoc networks using their own native protocols. With wireless communications.. Zigbee and GSM/UMTS. Location information provided by the network should be trustworthy [4].g. Additionally the archi- tecture should provision hooks for future extensions to accommodate legal regulations. this means that issues such as authorization and updat- ing the device state should be seamless. growing in number daily. wireless devices will likely have evolving naming and addressing schemes and it will be necessary to ensure that the names and addresses that are used are verifiable and authenticated.1 Key Properties of IoT There are a number of key properties of IoT that create several issues for security and raises additional requirements for security.

as well as secure implementations for the various kinds of mostly re- source constrained devices. scalability and heterogeneity of devices • Networked knowledge and context • Privacy. integrity. Measures need to be taken that only the information provider is able to infer from observing the use of the lookup system related to a specific customer. Fig.3 High Level Security Requirements In business process. 2. at least. 3. and authenticity. High level Security Requirements for IoT . Fig. security and trust will have to be adapted to both devices and information This will involve the development of highly efficient cryptographic algorithms and protocols that provide basic security properties such as confidentiality. Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT) 423 3. retrieved address and object information must be authenticated. inference should be very hard to conduct. 2 summarizes the high level security requirements for IoT. The system has to avoid single points of failure and should adjust itself to node failures. Data authentication. • Management. security requirements are described as follows : Resilience to attacks. Access control.2 Challenges Following are the challenges which need to be tackled in the world of pervasive devices. Client privacy. Information providers must be able to implement access control on the data provided. As a principle.

Secure execution environment. Some examples are: De-packaging of chip. Content security or Digital Rights Management (DRM) protects the rights of the digital content used in the system. Tamper resistance. Babar et al. Secure network access. failure messages. Secure data communication. Identification covers determination of unique device/user/session with authentica- tion. Secure content. runtime envi- ronment designed to protect against deviant applications. This provides a network connection or service access only if the device is authorized. and/or other commands. ensur- ing confidentiality and integrity of communicated data. It includes authenticating communicating peers. It refers to a secure. Communication threats covers a Denial-of-Service attack (DoS) and it occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests. preventing repudiation of a communication transaction. Identity Management. Availability. accounting and provisioning. Layout reconstruction. User identification. managed-code. 3 presents threat taxonomy to understand and assess the vari- ous threats associated with the use of IoT [6]. IoT security is primarily a management issue. Some types of Physical attack requires expensive material because of which they are relatively hard to per- form. and protecting the identity of communicating entities. It is broad administrative area that deals with identifying individuals / things in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity. This involves confidentiality and integrity of sensitive information stored in the system. Secure storage. Effective management of the threats associated with IoT requires a sound and thorough assess- ment of risk given the environment and development of a plan to mitigate identified threats. Although the implementation of technological solutions may respond to IoT threats and vulnerabilities.424 S. It refers to the desire to maintain these security requirements even when the device falls into the hands of malicious parties. Availability refers to ensuring that unauthorized persons or systems cannot deny access or use to authorize users. authorization . It refers to the process of validating users before allowing them to use the system. premature successful connection messages. . Following Fig. and can be physically or logically probed. Physical threat includes micro probing and reverse engineering causing serious secu- rity problem by directly tampering the hardware components. 4 Security and Threat Taxonomy for IoT IoT is coupled with new security threats and alters overall information security risk profile. Micro-probing.

Examples of identity certificate frameworks include Public Key Infrastructures (PKIs). Threats Taxonomy for IoT Embedded Security threat model will span all the threats at physical and MAC layer. Security threats like device and data tampering. etc will be the concerns at device level. which are certificates that bind a public key to an identity. We must also be careful in choosing which cryptographic components to use as the building blocks since.1 Identity Certificate Frameworks These frameworks allow users without prior contact to authenticate to each other and digitally sign and encrypt messages. Some of the frameworks described can be used to provide several functions as shown in Table 1. It will provide methods for controlling the identification and authentication of users and for administering which authenticated users are granted access to protected resources. authentication and authorization. bus monitor- ing. the cipher texts for some public key encryption schemes can reveal identifying information about the intended recipient . Side channel analysis. They are based on identity certificates. .14] and Pretty Good Privacy (PGP). Storage management has crucial impact on the key management to achieve confi- dentiality and integrity. 5 Related Work Security framework for IoT will mainly include architectures for providing and man- aging access control. for example. [8. 5. 3. Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT) 425 Fig.

Liberty Alliance [12]: a consortium that aims to establish open standards. which forms part of the Web Services Security framework.426 S.3 Identity Federation Federated Identity allows users of one security domain to securely access resources on another security domain. VeriSign. without the need for another user account. Example SSO frameworks include: Kerberos a distributed authentication service. Table 1. OpenID [11]: an authentication framework that allows users to login to different web sites using a single digital identity. guidelines and best practices for federated identity management. Babar et al.4 User-Centric Identity Management User-centric identity management is a design principle that focuses on usability and cost-effectiveness from the user’s point of view. Users register with an authentication server in their own domain and other domains trust its assertions. WS-Federation [13]: a federated identity standard developed by Microsoft.2 Single Sign-On Single sign-on (SSO) allows users to be authenticated only once in a system. Framework No. State of Art Evaluation Identity Certificate Federated Identity Device Security Single Sign-on Management User-centric Sr. BEA and RSA Security. eliminating the need to have different usernames and passwords for each site. which provides SSO within a single administrative domain. 5. Windows Live ID [10]: an Internet-based SSO framework used by Microsoft applica- tions and web services such as MSN messenger. There are three main approaches to . IBM. Users can then access all resources for which they have access permission without entering multiple passwords. 5. 1 PKI[7] √ 2 PGP[8] √ 3 Kerberos[9] √ 4 Windows Live ID[10] √ √ 5 OpenID[11] √ √ 6 Liberty Alliance[12] √ √ √ 7 WS-Federation[13] √ √ 5.

Security Model for IoT 7 Conclusion The incremental deployment of the technologies that will make up the IoT must not fail what the Internet has failed to do: provide adequate security and privacy mecha- nisms from the start. trust and privacy in the IoTS. 6 Proposed Security Model for IoT Integrated and interrelated perspective on security. The device-resident software is embedded into devices at the time of manufacture. 5. is not only complex but also composite in nature. Therefore a cube is an ideal modeling structure for depicting the convergence of security. It is clear that the type and structure of information required to grant/reject such an access request is complex and should address the following IoT issues: security (authorization). privacy can potentially de- liver an input to address protection issues in the IoT. informa- tion cards [15].g. required to grant/reject access requests. privacy(respondent). In IoT access information. trust(reputation). This is de- picted in figure 4. This is a direct result of the high level of interconnectedness between things. Therefore we have chosen a cube structure as a modeling mechanism for security. 4. Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT) 427 user-centric identity management that are Managing multiple identities e. A cube has three dimensions with the ability to clearly show the intersection thereof. trust and privacy for the IoT.g. trust. services and people. referred to as IoT. We must be sure that adequate security and privacy is available .5 Device Security The Device Security Framework includes device-resident security software as well as security capabilities delivered across the network. Giving users a single identity e. OpenID and lastly Giving users control over access to their resources. Fig.

New York (2004) 6. we presented key challenges like identity management. In: Information Assurance Workshop. In: Proceedings of the ACM SIGCOMM Asia Workshop (2005) 5. B. The extent of the summary of the software is decided by the program encrypting the data. In: Proceedings of the 41st Annual Design Automation Conference. P. De- cember 12-15.428 S.aspx/ .J. Thesis (1978). This allows a third party to verify that the software has not been changed. Kocher. Beerliova. Man and Cybernetics Society. Hu. ACM. 186–201. Mihalák. http:// dspace. before the technology gets deployed and becomes part of our daily live. Adjie-Winoto. Lathrop. South Carolina.ietf. pp. We see this (1) as a basis for coming up with an integrated systems ap- proach for security and privacy in the Internet of Charleston. Lilley. Wang. Neuman. or another trusted key descended from it. Ire- land.: Developing network software and communications protocols to- wards the internet of things. Ts’o. Eberhard. Kohnfelder. In: Proceedings of the Fourth International ICST Conference on Communication System Software and MiddlewaRE. References 1. pp. Silverajan.: Security as a new dimension in em- bedded system design.. E.. Public-Key Infrastructure ( 8. Hoffmann. http://tools.S.1/15993/07113748. McGraw.. J. F. D. L... R. A.: Towards a Practical Public Key System. "Bind- ing" encrypts data using the TPM endorsement key. L.. Furthermore.: The design and implementa- tion of an intentional naming system. Y. June 16-19. COMSWARE 2009. Dublin. Balakrishnan.. Security requirement and threat taxonomy insist to go for Trusted Platform Module which offers facilities for the secure generation of cryptographic keys. Z. IEEE Journal on Selected Areas in Communica- tions 24(12). San Diego.. http://msdn. Erlebach. ACM. New York (1999) 3. A. New York (2009) 2. Introduction to Windows Live ID. USA. June 18-20. It also includes ca- pabilities such as remote attestation and sealed storage.: Kerberos: an authentication service for computer networks. H.. T. a unique RSA key burned into the chip during its production. 33–38 (1994) 10. Babar et al.. Schwartz. IEEE Communications Magazine 32(9). download. H. Wireless security threat taxonomy. Raghunathan. and (2) as stimulator for discussion on the categorization and sensitivity rating in the IoT.: Network Discovery and Verification.. 1–8.pdf 9.M. in addition to a hardware pseudo-random number generator. G. and limitation of their use. June 7-11. "Remote attestation" creates a nearly unforgeable hash key summary of the hardware and software configuration..: Location Privacy in Wireless Networks. SOSP 1999. 753–760. 76–83 (2003) 7. IEEE Systems. 2168–2181 (2006) 4. pp. Hall. S. US. T.. W. pp. embedded security and authenti- cation in the IoT. In this paper we presented a categorization of topics and technologies in the IoT with analysis of sensitivity and state in research to different security and privacy properties. B. Harju. CA. Lee. In: Proceedings of the Seventeenth ACM Sympo- sium on Operating Systems Principles. J.C.. DAC 2004. M. Welch.509).

pdf 14. http://xml. http://msdn. Bhalla. D.Y. Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT) 429 11.html 12.: Introducing Windows CardSpace. OpenID.: Understanding WS-Federation (2007).S. http://openid. 120– 122 (2005) 15. Shim. LibertyAllianceArchitecture200303. http://msdn. S. Introduction to the Liberty Alliance Identity Architecture (2003).: Federated identity management. IEEE Computer 38(12). Chappell. M.aspx .coverpages.